One of the most high-profile incidents in the DeFi sector in 2026 continues to unfold, now entering the “second wave” phase — the laundering of stolen funds. The attacker, who previously stole around $292 million from the KelpDAO restaking protocol, has begun actively moving and legitimizing part of the assets through cross-chain tools and liquidity mixing.
According to analyst EmberCN, hackers have already “laundered 34,500 ETH (around $80 million)” after first moving approximately $175 million within the Ethereum network. This points to a systematic, multi-stage operation rather than a one-time withdrawal attempt.
A key element in the chain has been the cross-chain protocol THORChain, through which a significant portion of the stolen ETH was converted into Bitcoin. This operation sharply altered the platform’s metrics and effectively turned hacker activity into a short-term liquidity driver.
The impact on THORChain was immediate:
- daily trading volume surged to $360–394 million compared to the usual $20–35 million;
- fee revenue jumped to $420,000–456,000 per day versus roughly $5,000 previously.
In effect, the protocol achieved in a matter of hours what would normally take months of organic growth. However, this growth is toxic in nature: it is driven not by increased demand, but by the forced movement of large stolen assets.
Analysts also focused on the reaction of the Arbitrum network. After intervention and the partial freezing of funds (around 30,766 ETH worth over $70 million), the attacker accelerated the movement of assets to other networks. Experts believe that the freezing of part of the funds may have triggered a redistribution of capital and made further tracking more difficult.
According to Global Ledger, just hours after the freeze in Arbitrum, the attacker began actively transferring funds to the Ethereum network, indicating an attempt to bypass centralized control points and “dissolve” transaction traces within a more complex multi-chain structure.
The KelpDAO attack occurred on April 18, 2026, and was reportedly linked to a vulnerability in the LayerZero bridge. It triggered a chain reaction across the DeFi sector, affecting not only the protocol itself but also related lending and collateral markets.
Estimates from analytics firm LlamaRisk suggest that stolen assets totaling 89,567 rsETH (over $221 million) were used as collateral across various protocols. This led to a sharp reassessment of risk across the system and a drop in total value locked (TVL) in Aave by approximately $8.5 billion — down to around $18 billion. In effect, the market faced not only direct losses but also a domino effect through liquidation mechanisms and collateral repricing.
According to LayerZero developers, the attack was likely carried out by the North Korean hacking group Lazarus Group, which has previously been linked to major crypto exploits, including the $1.5 billion Bybit incident. This strengthens the view that attacks on DeFi infrastructure are becoming systemic.
The broader scale of the problem is underscored by Memento Research data: as of mid-April 2026, total losses in the DeFi sector have reached $795 million. Researchers describe the situation as a “persistent security crisis,” where attacks are no longer exceptions but recurring elements of the market infrastructure.
Ultimately, the KelpDAO incident goes far beyond a single protocol. It highlights several systemic weaknesses in DeFi: the vulnerability of cross-chain bridges, the dependence of liquidity on single points of failure, and the growing complexity of tracking stolen funds in a multi-chain environment.
All content provided on this website (https://wildinwest.com/) -including attachments, links, or referenced materials — is for informative and entertainment purposes only and should not be considered as financial advice. Third-party materials remain the property of their respective owners.